asterisk

Commit Graph

Author	SHA1	Message	Date
Ben Ford	259ecfa289	STIR/SHAKEN: Fix certificate type and storage. During OpenSIPit, we found out that the public certificates must be of type X.509. When reading in public keys, we use the corresponding X.509 functions now. We also discovered that we needed a better naming scheme for the certificates since certificates with the same name would cause issues (overwriting certs, etc.). Now when we download a public certificate, we get the serial number from it and use that as the name of the cached certificate. The configuration option public_key_url in stir_shaken.conf has also been renamed to public_cert_url, which better describes what the option is for. https://wiki.asterisk.org/wiki/display/AST/OpenSIPit+2021 Change-Id: Ia00b20835f5f976e3603797f2f2fb19672d8114d	2021-05-11 09:29:57 -05:00
Ben Ford	9acf840f7c	res_stir_shaken: Implemented signature verification. There are a lot of moving parts in this patch, but the focus of it is on the verification of the signature using a public key located at the public key URL provided in the JSON payload. First, we check the database to see if we have already downloaded the key. If so, check to see if it has expired. If it has, redownload from the URL. If we don't have an entry in the database, just go ahead and download the public key. The expiration is tested each time we download the file. After that, read the public key from the file and use it to verify the signature. All sanity checking is done when the payload is first received, so the verification is complete once this point is reached. The XML has also been added since a new config option was added to general (curl_timeout). The maximum amount of time to wait for a download can be configured through this option, with a low value by default. Change-Id: I3ba4c63880493bf8c7d17a9cfca1af0e934d1a1c	2020-05-01 06:31:46 -05:00
Ben Ford	211bb8a79c	res_stir_shaken: Initial commit and reading private key. This commit sets up some of the initial framework for the module and adds a way to read the private key from the specified file, which will then be appended to the certificate object. This works fine for now, but eventually some other structure will likely need to be used to store all this information. Similarly, the caller_id_number is specified on the certificate config object, but in the end we will want that information to be tied to the certificate itself and read it from there. A method has been added that will retrieve the private key associated with the caller_id_number passed in. Tab completion for certificates and stores has also been added. Change-Id: Ic4bc1416fab5d6afe15a8e2d32f7ddd4e023295f	2020-03-25 18:04:22 -05:00

Author

SHA1

Message

Date

Ben Ford

259ecfa289

STIR/SHAKEN: Fix certificate type and storage.

During OpenSIPit, we found out that the public certificates must be of
type X.509. When reading in public keys, we use the corresponding X.509
functions now.

We also discovered that we needed a better naming scheme for the
certificates since certificates with the same name would cause issues
(overwriting certs, etc.). Now when we download a public certificate, we
get the serial number from it and use that as the name of the cached
certificate.

The configuration option public_key_url in stir_shaken.conf has also
been renamed to public_cert_url, which better describes what the option
is for.

https://wiki.asterisk.org/wiki/display/AST/OpenSIPit+2021

Change-Id: Ia00b20835f5f976e3603797f2f2fb19672d8114d

2021-05-11 09:29:57 -05:00

Ben Ford

9acf840f7c

res_stir_shaken: Implemented signature verification.

There are a lot of moving parts in this patch, but the focus of it is on
the verification of the signature using a public key located at the
public key URL provided in the JSON payload. First, we check the
database to see if we have already downloaded the key. If so, check to
see if it has expired. If it has, redownload from the URL. If we don't
have an entry in the database, just go ahead and download the public
key. The expiration is tested each time we download the file. After
that, read the public key from the file and use it to verify the
signature. All sanity checking is done when the payload is first
received, so the verification is complete once this point is reached.

The XML has also been added since a new config option was added to
general (curl_timeout). The maximum amount of time to wait for a
download can be configured through this option, with a low value by
default.

Change-Id: I3ba4c63880493bf8c7d17a9cfca1af0e934d1a1c

2020-05-01 06:31:46 -05:00

Ben Ford

211bb8a79c

res_stir_shaken: Initial commit and reading private key.

This commit sets up some of the initial framework for the module and
adds a way to read the private key from the specified file, which will
then be appended to the certificate object. This works fine for now, but
eventually some other structure will likely need to be used to store all
this information. Similarly, the caller_id_number is specified on the
certificate config object, but in the end we will want that information
to be tied to the certificate itself and read it from there.

A method has been added that will retrieve the private key associated
with the caller_id_number passed in. Tab completion for certificates and
stores has also been added.

Change-Id: Ic4bc1416fab5d6afe15a8e2d32f7ddd4e023295f

2020-03-25 18:04:22 -05:00

3 Commits